Off

Off disables secure HTTPS connections between both visitors and Cloudflare and between Cloudflare and your origin web server. Visitors can only view your website over HTTP. Any connections attempted via HTTPS result in a HTTP 301 redirect to unencrypted HTTP.

Flexible

The FlexibleSSL option allows a secure HTTPS connection between your visitor and Cloudflare, but forces Cloudflare to connect to your origin web server over unencrypted HTTP. An SSL certificate is not required on your origin web server and your visitors will still see the site as being HTTPS enabled.

Flexible is not recommended if your website contains sensitive information. Use Flexible only as a last resort if you are unable to setup SSL at your origin web server.

Full

Full ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your web server.

The FullSSL option does not validate SSL certificate authenticity at the origin. A self-signed certificate is allowed at the origin web server.

Full (strict)

Full(strict) ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your origin web server. Configure your origin web server to allow HTTPS connections on port 443 and present either a Cloudflare Origin CA certificate or a valid certificate purchased from a Certificate Authority. This certificate must be signed by a Certificate Authority that is trusted by Cloudflare, have a future expiration date, and cover the requested domain name (hostname).

The Full(strict)SSL option checks for SSL certificate validity at the origin web server. A self-signed certificate cannot be used. A Cloudflare Origin CA certificate or valid certificate purchased from a Certificate Authority is required to avoid 526 errors.